It seems like every week there is another news story about business people or vacationers traveling abroad and unexpectedly finding themselves in dangerous situations. Last month a French national and American woman studying in Brazil reported being held hostage and brutally sexually assaulted after boarding a public transport van at the Copacabana Beach in Rio de Janeiro. The attack allegedly was committed by three men who used a metal bar to force other passengers out of the van. The van was one of a fleet of public transport vehicles used to shuttle passengers from the beach. Adding insult to injury, the assailants also went on a spending spree with the victims’ credit cards.
Two weeks ago, David Gordon, an American contractor working in Afghanistan, was detained and beaten by Afghan police because of a commercial dispute. It took U.S. diplomatic authorities two days to get him released after Afghan officials demanded a payment of $2.4 million. At the time of his arrest, Gordon was in the country working on a project completely unrelated to the contract dispute leading to his arrest.
Alan Gross remains in jail in Cuba three years after being arrested for attempting to set up an internet network for Cuban Jews under the auspices of the U.S. Agency for International Development. He was tried, convicted, and sentenced to fifteen years for espionage. Diplomatic efforts to secure his release have failed to date.
According to the U.S. Department of State, 3,500 Americans were jailed overseas in 2010. It is not known what percentage of these relate to incidents similar to those described above, but it is important to remember that Americans traveling in a foreign jurisdiction do not necessarily have due process or other protections from local unjust laws and customs. Local criminal justice is only as fair as the government administering it.
The safest way to travel is to be accompanied by a trusted, trained and locally knowledgeable security professional. When selecting executive protection services for travel, whether for business or pleasure, training, knowledge of local law enforcement and customs, length of private sector experience, and the availability of similarly qualified “back-up” personnel are important factors to consider. Local and back-up resources should include field personnel, as well as intelligence sources, and access to high-tech counter-surveillance, information, communication, and other equipment.
If you are not traveling with a security escort, it is ESSENTIAL to have an emergency action plan. Who should you call if you encounter a problem clearing customs? Become ill? Are arrested? Experience a dangerous or catastrophic situation? Always call the U.S. Consulate first in any of these situations, but if you have been given contact information for local resources, have their backgrounds been verified? Do you know what they look like? Could you recognize them in an emergency? These are just a few issues to consider when planning a trip abroad, especially to high-risk areas.
Following the travel safety tips and guidelines below will increase your chances of embarking on a safe and successful trip, regardless of where or how you are traveling.
PERSONAL SECURITY WHILE EN ROUTE
Notify your family and agents of your dates of departure and return as well as local contact information.
In public places, sit near other people, aisles or doors and be aware of emergency exits.
Stay awake and alert when using public transportation.
Use a money belt to hide your passport, money, or credit cards. But leave some money in your pocket or bag to satisfy a mugger if you are robbed.
Keep valuables out of sight and keep your luggage and handbag close. Keep a wallet in your front pants pocket.
If mugged, surrender your belongings. Never struggle with a thief.
Look for travel advisories or warnings before leaving.
Dress casually to avoid drawing attention to yourself.
Be aware of local customs.
Do not wear excess jewelry. Reduce wallet and purse contents, particularly cards denoting affiliations, memberships, accounts, etc.
Proceed through airport security and go to the boarding area as quickly as possible. Do not linger in shopping areas or food courts.
Be wary of crowds, where pickpockets can jostle and distract you.
Be careful when using telephone calling cards. Look for people observing you dial or speak your code.
PERSONAL SECURITY IN HOTELS
Discuss your daily itinerary with as few strangers as possible and never in public areas.
Select hotel rooms on the third to fifth floor — out of reach of street criminal activity but within reach of fire truck ladders.
Never entertain strangers in your hotel room.
Beware of overly friendly locals.
Never leave valuables in your hotel room, even in a locked suitcase.
Place valuables such as money, jewelry, airplane tickets, credit cards, and passports in a hotel safe deposit box or room safe.
Familiarize yourself with hotel exit routes.
Use the chain or bolt lock whenever in your room.
Use the peephole before opening the door.
Never discuss your room number while in the lobby or leave your room key on restaurant tables.
Keep your room neat so you will notice missing items quickly.
During a fire alarm, take your key.
CARJACKING PRECAUTIONS
When in your car, always keep the doors locked and keep your windows up.
Leave ample maneuvering space between your vehicle and the one in front of you.
If you are approached by suspicious persons while stopped, don’t open your windows; drive away quickly.
If you are being followed or harassed by another driver, find the nearest police station, hotel, or other public facility, park as close as you can, and run inside.
If another driver tries to force you to pull over or cut you off, keep driving and try to get away.
If you are being followed, never lead the person back to your home. Drive to the nearest police station, public facility, or other safe place.
Always report any type of vehicular harassment to the local police.
When traveling alone and a car “bumps” into you, don’t stop to exchange information. Go to the nearest service station and call the police.
Never pick up hitchhikers!
When you park, look for a spot with good lighting and lots of people nearby. Lock valuables in the trunk.
Be extra careful when shopping! If you plan on returning to the stores after taking packages outside to lock them in your trunk, move your car to another area to give the impression you’re leaving.
If you are followed to your car, return to a safe area and contact the authorities.
If you have car trouble on the road, raise your hood and place a handkerchief on your radio antenna. When people stop to help, stay in your car. Ask the “good Samaritan” to stop at the nearest service station and report your problem.
Be wary of assistance from strangers. If you feel threatened, lock yourself in your car and blow the horn to attract attention from others.
When walking to your car, have your keys in your hand. Do not talk on your phone. Notice your surroundings. Is anyone following you? Walk through a couple rows of vehicles if you feel someone is following you. If they alter their direction, immediately return to safety and contact security.
PREVENTING SEXUAL OR OTHER ASSAULTS
Be alert. Don’t assume that you are always safe. Your best protection is avoiding dangerous situations.
Trust your instincts. If you feel uncomfortable in any situation, leave.
Always walk, drive, and park in well-lit areas.
Walk confidently at a steady pace on the side of the street facing traffic.
Walk close to the curb. Avoid doorways, bushes, and alleys.
Wear clothes and shoes that allow freedom of movement.
Always lock all windows and doors in your home.
If strangers telephone or come to the door, never divulge that you are alone.
If someone asks to use your phone, have him wait outside while you make the call.
If you are visiting a high-risk area, it is always best to hire private security personnel throughout your journey. But by following these tips, you can help keep yourself out of harm’s way, even when traveling alone.
Four hundred fifty-eight people were killed at work by another person using a gun or some other type of weapon during 2011. Homicide is the leading cause of workplace death for women in the United States. While Congress and state legislatures focus on restricting the sale of guns as a means of reducing murderous rampages outside the home, incidents of non-fatal workplace attacks, which are defined as rape or sexual assault, robbery, or aggravated or simple assault, numbered almost 600,000 during 2009, the most recent year for which this statistic is available. And violent crime is only the tip of the iceberg. The U.S. Department of Labor Occupational Safety and Health Administration (OSHA) defines workplace violence as threats, verbal assaults and bullying, as well as physical attacks. Using that definition, approximately two million workers are victimized annually by their co-workers or the public they serve.
Workplace violence is an ever-present danger for which corporations, private organizations, and educational institutions need to be prepared. No organization can prevent every act of real or attempted violence, but every employer can take steps to provide their employees with a safe work environment.
What can be done?
OSHA has published guidelines for various high-risk groups, such as taxi-drivers, health care workers, and late-night retail store employees. But regardless of the industry, OSHA and the U.S. Government Office of Personnel Management (OPM) stress the importance of conducting adequate pre-employment screening of new hires to weed out previously violent, volatile, or unstable individuals. Stop the problems before they begin by identifying possible perpetrators.
But thorough vetting is not enough.
1. Establish Adequate Security Processes and Procedures
It is critical for an employer to establish security processes and procedures which keep dangerous, unstable, or violent third parties out of the workplace. Individually coded card key access, employee-badging, and locked entries and exits need to be assessed and fine-tuned regularly to ensure that they are customized to fit each specific organization’s needs. Businesses, schools, and military bases all have to prepare for and sometimes deal with workplace violence, but steps can be taken to mitigate internal and external incursions and threats.
Schools must protect students, teachers, coaches, other staff, and parents and other family members throughout the day and at after-school activities. An open school environment with classrooms, offices, locker rooms, gymnasiums, outdoor fields and other facilities presents more security challenges than a business office with only one main entrance and a rather consistent set of employee occupants.
2. Develop a Workplace Violence Protection Program
OSHA recommends that every employer establish a no-tolerance policy for workplace violence, including any form of bullying and verbal or nonverbal threats. An employer should clearly define workplace violence in its Code of Conduct or other policies and procedures and provide multiple methods for reporting incidents of workplace violence.
To foster this policy, employers should make clear that no employee will suffer reprisals for reporting inappropriate conduct, and should establish a protocol for investigating reports of workplace violence and taking disciplinary and remedial action.
Create an Incident Response Team who will be responsible for addressing immediate threats. Develop a protocol and guidelines, and conduct drills, to prepare this team to respond appropriately to small and large, fatal and non-fatal incidents. If larger, more dangerous incidents do occur, all security staff, not just the Incident Response Team, must be well trained in the appropriate procedures to effectively and efficiently neutralize the dangerous party and minimize collateral damage.
By effectively implementing a top-down, management-supported Workplace Violence Protection Program, organizations can provide a safe and healthy working environment for all employees and guests, and minimize damage when unexpected events occur.
3. Conduct a Threat, Risk and Vulnerability Assessment regularly
An adequate threat, risk and vulnerability (TRV) assessment requires that C-suite personnel, as well as representatives from security, human resources, legal, employee safety, and risk management functions, regularly analyze the workplace environment, identify any potential hazards, and fix them. Top-down risk management ensures identification of issues at every level of an organization and support for the design and implementation of immediate remedies.
Records that should be reviewed include at the very least incident reports, records relating to injuries or illnesses, sick-time records, workers compensation claims, records of damage or theft to equipment or data, other internal complaints, and all reports made to law enforcement.
Threat assessment is crucial to the initial stages of implementing a Violence Protection Program, to ensure the biggest risk areas are pinpointed and corrected as soon as possible. Continual review of company policies and procedures is also necessary to ensure ongoing safety.
4. Assess the Physical and Operational Security of the Workplace, and Address Weaknesses
The physical and operational security of a workplace should be evaluated by conducting a survey of the entire workplace premises, including parking facilities, as well as by reviewing reports of any crimes or incidents that have occurred recently. Security cameras, metal detectors, and alarm systems are important elements of a robust physical security program, and must be installed properly and used correctly by internal security staff.
Secure entranceways, with bullet-proof and shatter-proof glass, should be installed in areas where members of the public are allowed access to the workplace, especially in high risk areas like hospitals, banks, and schools. Working locks should be installed on all doors and windows. Silent alarm buttons should be available and in working order in all necessary areas, like classrooms and reception areas, and appropriate personnel should be provided with handheld radios.
Hallways and access ways should be kept clear of any large objects that could hinder evacuation during an emergency. Bright lighting indoors and outdoors should be used to promote safety at night. Consult OSHA’s guidelines for a full list of other appropriate security measures.
5. Provide Training to Employees
Training and education ensure that all employees recognize their duties and responsibilities to provide their colleagues with a safe environment and are able to identify emerging risks. All employees should be trained to respond to every level of workplace violence, including catastrophic events.
Every employee, from the CEO down to the line-level staff member, should receive training. Training also should be conducted regularly and should be updated to address new concerns or emerging risks. Any changes in physical security features should be identified to all employees immediately.
According to the Harvard Business Review we create 2.5 exabytes of data daily. An exabyte is 1 quintillion bytes. A quintillion is 1 followed by eighteen zeros. To put this in context, in 1986 there were about 2.5 exabytes in existence everywhere. This was before the widespread creation and dissemination of digital information; obviously, the rate of data creation accelerated after the advent of the internet. In 2000, there were only about 55 exabytes around. That’s barely three weeks’ worth of data creation in 2013.
More significant than size is where and in what format this information exists. Ninety percent is what is called unstructured data: digital information not contained within formal databases that is generally uncollectible or unusable using standard correlative methodologies. Unstructured data consists of such things as GPS signals emitted by cell phones and automobiles, webpages, tweets, internet search histories, PDFs or handwritten notes. Altogether this is called “Big Data” and the world is literally drowning in it.
No one really knows where or when the phrase Big Data was first used, although Steve Lohr from the New York Times credits Dr. John Mashey, a Silicon Valley pioneer, with giving this tiny phrase the expansive meaning it has today. Initially, Big Data meant just that: information files too large to be stored or analyzed on 20th century hardware. Using Google’s public description of its very sophisticated slicing and dicing of the data it harvested to create the web, Doug Cutting and Mike Cafarella created software that stacked and processed all forms of digital information on multiple servers simultaneously. Cutting named the software Hadoop, after the nickname his toddler son gave to his favorite stuffed elephant.
Once data could be Hadooped, it was not long before digital scientists developed software designed to extract meaning from this trove of information. Amazon and Google were early creators of Big Data analytics. They designed algorithms that identified their users’ wants and interests by tracking and cataloging earlier purchases and search histories. But Big Data software should and can do much more than that.
Effective Big Data analytics discovers hidden patterns, creates context for decision-making by turning data-points into a cohesive story, and helps solve problems by determining why things happen and predicting when they will happen in the future. Big Data was used by Netflix to create the new blockbuster hit, House of Cards, and by linguists and literary historians to determine that Jane Austen and Sir Walter Scott had the greatest impact on 19th and 20th century writers. Kaiser Permanente, the health care giant, uses it to track its patients’ medical treatments and outcomes, and discovered early on the harmful side effects of Vioxx.
New Big Data platforms store and process structured and unstructured data at speeds never contemplated by digital scientists as recently as ten years ago. The review and interpretation of information that used to require three days of mainframe computing now happens in ten minutes. Information technology has conquered the three V’s confounding business intelligence, economists, and other professional prognosticators for years: volume, velocity, and variety.
But is Big Data just a 21st century parlor trick? Are we interpolating and extrapolating ourselves into delusion or oblivion? Isn’t it really just another marketing tool developed to help big business sell more widgets?
MIT Professors Andrew McAfee and Erik Brynjolfsson sought to measure the efficacy of Big Data analytics used by a range of businesses and concluded it was a “Management Revolution.” Using empirical methods, they determined that businesses which collected, stored, and analyzed relevant internal and external data using Big Data methodologies were more successful, better run, and better able to anticipate and respond to change than their counterparts who did not.
Privacy and other concerns have caused legislators and legal scholars to call for greater regulation of Big Data collection and the ability of consumers to “opt out” without having to live off the grid, while at the same time acknowledging that the beneficial effects of using Big Data to anticipate the lethal side effects of new drugs or help regulators detect illegal activity before its effects can be felt outweigh its resemblance to Big Brother.
Big Data skeptics, like editorial writer David Brooks, are quick to point out that even the best-tested algorithms augmented by the most advanced form of artificial intelligence, which is the “special sauce” of all successful Big Data platforms, do not take social cognition into account, are unable to weigh the relevance of intersecting multiple contexts, create spurious, albeit statistically relevant, correlations, and obscure values in the decision-making process.
These criticisms may be valid, but Big Data is here to stay and is changing the investigative, corporate compliance and integrity monitoring world.
Using its own Big Data analytic platform, developed with FusionExperience, a UK-based technology firm, Guidepost Solutions is able to conduct investigations of possible FCPA, ITAR, OFAC, BSA, AML, OECD, and UK Bribery violations around the world in half the time and for half the cost. Our analytic platform, called Guidepost Insight, collects structured data from any pre-existing internal or external database and unstructured data from virtually any resource, including the web, and indexes every word, number, and symbol. Using simple, case-specific rules, designed in conjunction with our clients and industry experts and powered by artificial intelligence, it sifts through terabytes, zeroing in on problem areas, employees, or transactions.
Using a business procedure overlay called Business Optix, Guidepost Insight can be used as a compliance monitor that identifies “exceptions” to legally required procedures and processes. Using Insight and Optix together, Guidepost is the ultimate integrity-monitoring system, applicable to any industry or business model. In the construction or other project monitoring world, it derives data from multiple external and internal resources, as disparate as site access control signals and waste hauling trip tickets, to identify no-show employees, code violations, theft, and other forms of fraud and waste. It displays the results of these analyses in a visual format that highlights normal and abnormal relationships and hot spots of possible illegal activity.
Big Data is a big deal because it performs in days or hours, using less expensive and more precise electronic software, sophisticated investigative and analytical tasks that used to take weeks or months using expensive and imprecise human capital. It creates a better and more complete data-picture, enabling professionals to perform the more important tasks of making decisions, managing risk, enforcing laws, and regulating industries in a better-informed and more reliable way.
Former Congressman Michael Oxley, co-sponsor of the Sarbanes-Oxley Act (SOX), speaking at the Distinguished Speakers Series hosted by SolutionPoint International, parent of Guidepost Solutions, a global investigative and security consulting firm, expressed regret in not attempting to regulate the alternative investment market when he could. “You cannot have a multi-trillion dollar market with no transparency,” Oxley said. Failure to regulate it led to “disastrous results,” he said. He explained that SOX was designed to “restore investor confidence and…instill transparency and accountability to capital markets,” after the collapse of Enron, in much the same way Dodd-Frank was passed to prevent the “excessive risk-taking with OPM…other people’s money…in the over the counter derivatives market, which was opaque and unregulated.” Ten years later, SOX has done what it set out to do according to Oxley. “There hasn’t been another Enron or WorldCom since” the SEC began enforcing SOX.
Oxley called the JOBS Act “a worthy experiment,” but cautioned, “The jury’s still out on whether [the JOBS Act] creates jobs and is effective.” When asked if he was concerned about the SOX suspension, he replied, “Investors have been burned twice in a short period of time and they are going to be careful when investing.”
In the meantime, here are five steps to take when doing business with or considering investing in an EGC:
1. Give credit to companies that choose to comply with SOX even when they don’t have to.
If a company is exempt from SOX, yet still chooses to comply, it shows an ethical “tone at the top.” Voluntary compliance shows that a company is planning for the long term and has nothing to hide. It also shows a company that recognizes that early investment in internal controls and heightened compliance makes good business sense; incorporating the cost of SOX compliance into their ongoing operations from the start ensures that ethics will never be sacrificed for profit.
2. Look carefully at the principals and professionals retained by EGCs.
When EGCs do decide to take advantage of the suspension, look carefully at who they are and who they have hired to bring them to market. The lawyer representing Caribbean West Marketing had been previously sanctioned by the SEC and disbarred by New York State. Is the start-up using reputable auditors and lawyers who regularly work for companies that are SOX-compliant, or did it retain inexperienced, small-time professionals to cut costs and cut corners? Cutting corners in critical areas early on suggests a lack of appreciation for the importance of corporate integrity.
3. Examine the balance sheets of EGCs with a magnifying glass.
Take extra care when reviewing balance sheets that have not withstood SOX scrutiny. Even a small inconsistency or slight deviation from industry norms could signal potentially dangerous holes in the company’s financial reporting procedures and internal controls. Any error, large or small, is a red flag.
4. Ask lots of questions and if the answers don’t make sense, more than SOX is missing.
An EGC should expect that management, operations, and the entire business will be scrutinized by investors, vendors, and customers alike. They should be willing and able to provide answers to every question. If they don’t satisfactorily answer your questions or refuse to provide transparency, this is a warning sign.
5. Put a premium on compliance of all kinds at any company with which you do business.
When companies try hard from the beginning to place a premium on ethics and compliance in all aspects of their operations, it usually means they value their investors and customers and take pride in what they do and how they do it. You should look for companies that are willing to go the extra mile from the beginning.
According to Chinese astrology, 2012 was the year of the dragon. The rapid uptick of Chinese investment in U.S. companies as well as IPOs of Chinese-based businesses on U.S. exchanges bore this out. 2013 is the year of the snake. If the SEC and DOJ continue to bring enforcement and criminal actions against US companies and professional firms doing business in China and Chinese businesses seeking capital in the U.S. at the same rate they did in 2012, the endemic danger of doing business with or in China will continue to poison this brand of economic expansion.
Politics aside, Chinese investment in either direction has been fraught with problems. ABC News reports that since 2010 more than 70 Chinese companies have been delisted or left NASDAQ and the New York Stock Exchange because of suspected fraud. Since 2009, the SEC has brought forty civil actions against Chinese companies listed on major American stock exchanges. The SEC is now directing its investigative efforts to the firms serving as middle men, such as Rodman & Renshaw, the investment bank formerly chaired by General Wesley Clark. Rodman & Renshaw, which promoted many Chinese deals, shut its brokerage business doors in September 2012, in part because of the reports that many of the Chinese companies it had been promoting were suspected of fraud.
The Chinese government forbids Western access to audit work papers and other documents, even when performed by US based service firms or on behalf of US investors, on the grounds that the audit papers may reveal state secrets. This refusal has strained diplomatic relations between the US and China but no resolution has been found to date. Revelations of recent state-sanctioned hacking against US news outlets show how far China is willing to go to find out who is sharing what it considers to be its secrets.
Similarly, the same brand of background investigation and due diligence that has become commonplace outside China is illegal there. Chinese data privacy and other laws make it a crime to disclose “state secrets” and, as the accounting firm cases show, the Chinese courts’ definition of “state secrets” is extremely broad.
How does one do business involving China then?
As with any effective due diligence, it is imperative to work with people who know the “locals.” While China remains behind the west in widespread creation and dissemination of public information about companies and individuals, Chinese corporations are required to make Delaware-type filings with the country’s Administration for Industry and Commerce, and patent, trademark, and customs filings are available online. Many litigation files are public information as well, some even online. Proprietary databases available to research firms working in China contain personal information about Chinese nationals, too, including family history and province of origin.
There also is a Chinese internet presence, including social networks. Monitored or not, there is a wealth of information on the Chinese web and no law prohibits mining this information.
More important, however, is having a network of trusted individuals familiar with the region or industry where you are doing business and the reputations and histories of the companies or individuals with whom you intend to do business.
Whether it is the year of the dragon or snake, access to data and intelligence is critical to doing business in China.
Guidepost Solutions has worked in Asia for over thirty years and has ongoing relationships with Hong Kong based business intelligence firms doing business in China. Guidepost is particularly well-suited to conduct the types of due diligence inquiries necessary to give US investors and partners comfort.
In addition to legal costs, fines are also on the horizon for poor data security. As NetworkWorld reports, the government is increasingly imposing financial penalties on firms of all types and sizes that do not follow proper data security guidelines. The result is that the cost of implementing good data security decreases, and the potential cost of not having a good data loss prevention program in place increases.
Data must be protected at every resting place and throughout all means of transit. “At rest” data is data which is stored in a location such as a server in a data center or on a company laptop. Often, companies only encrypt data while it is in transit, so that criminals cannot intercept the data while it is transferred between parties and locations. “At rest” data encryption is often neglected, as was the case at Hospice of North Idaho. An employee laptop containing data about 441 patients was stolen out of a car, meaning that the medical patient data on the laptop’s hard drive was completely accessible and vulnerable to anyone who had possession of the laptop. In this case, the Department of Health and Human Services chose to send a message by fining the small non-profit $50,000 for failing to encrypt the patient data on the hard drive, as is required by the Health Insurance Portability and Accountability Act (HIPAA). The message was clear: no one is exempt from legal regulations requiring the protection of sensitive data.
Using the experienced, non-biased eyes of an external party, not blinded by familiarity, is the best way to evaluate your security system and procedures. A company such as Hospice of North Idaho that has a lot of expertise in patient care is not necessarily going to have internal computer data security experts. Guidepost Solutions’ team of security experts can help your company conduct a thorough review of all your data security procedures and implement a program to ensure you comply with all government regulations. Contact us today for more information.
Human trafficking is a global problem. Human trafficking is an illegal industry that generates approximately $32 billion in revenue and victimizes up to two million people worldwide every year with an estimated 15,000 to 18,000 of them in the United States.
The most common forms of human trafficking are sexual exploitation (forced prostitution or sexual enslavement) and forced labor (modern-day slavery), but other forms include the harvesting of human organs for profit and forcing people to smuggle drugs or fight in an armed conflict. According to the U.S. State Department, approximately 80% of human trafficking victims are women and girls and up to 50% are minors.
What can we do to combat human trafficking? The Polaris Project is an NGO based in the U.S. that operates the National Human Trafficking Resource Center (NHTRC), with a national, toll-free telephone hotline available 24/7 to receive any tips about incidents of human trafficking in the United States. If you ever hear about an incident that could involve human exploitation, you are encouraged to report it to the hotline at 1-888-3737-888, so that they can follow up with the proper authorities.
Safe Horizon is the nation’s largest provider of services for crime victims, and through their Anti-Trafficking Program Safe Horizon provides support to human trafficking survivors. If someone you know is a victim of human trafficking, please call Safe Horizon’s 24-hour toll-free Hotline at 1-800-621-HOPE (4673).
Another thing that you can do to combat human trafficking is to write to your representatives in Congress and support the efforts of politicians who attempt to bring attention to the issue and obtain funding for initiatives to fight the problem. The federal government has programs in various departments that work to prevent human exploitation by investigating and shutting down trafficking rings and prosecuting traffickers. The Anti-Human Trafficking Task Force Initiative (a partnership between the DOJ, FBI, ICE, and other agencies) and the Anti-Trafficking Persons Division of the Department of Health and Human Services are good examples of federal programs that you can support and help spread awareness of.
Human trafficking is a large and complex problem that cannot be solved overnight, but by raising awareness and supporting those institutions that are working to eliminate this global scourge, we can all be part of the long-term fight to combat the exploitation of humans.
This spring, on April 2, I will be moderating a top-notch panel at the Dow Jones Compliance Symposium in DC on the high cost of FCPA investigations. The experienced panel of Jamie Gorelick, Ty Cobb and Kevin J. O’Connor knows the issues from both sides. I’d like to hear from anyone out there who has suggestions for controlling costs while conducting a credible and effective FCPA investigation. If you are not sure that your suggestions will pass muster with the regulators, send them along anyway and I will put them to the panel. After all, there will be years of prosecutorial experience on the podium to make an honest appraisal.
Some things to think about:
I divide costs into direct and indirect. Examples of direct costs would be legal, accounting, investigative and public relations fees. Examples of indirect costs would be loss of market value, diversion of executive talents, malaise and stagnation.
These categories are not perfect, but you get the idea.
And in my view, what is the single greatest accelerator of all Direct and Indirect costs? It is TIME.
And in my view, what is the second biggest accelerator of all Direct and Indirect costs? It is PUBLIC KNOWLEDGE.
Notice, the seriousness of the allegations is not a factor, except to the extent that it impacts or is impacted by time and public knowledge. Why is that? I think one reason is that we fail to make the distinction between, well, the Big Mac and the Dollar Menu Burger. Both are burgers, but they are not the same.
You may agree or disagree or have additional thoughts. I would like to hear them.
So where does this analysis take us? I think it is a starting point to thinking about how resources now spent on investigations could be better spent on solutions. After all, once you know the key wrongdoers, the ones who should be punished, isn’t it best to focus on how to change the system that allowed them to operate and, for a time, succeed?
Don’t misunderstand me. I am a great believer in individual responsibility. That is why I would rather see key individuals punished and the rest of the budget used to make sure it does not happen again, rather than spend enormous sums of money with very limited returns in terms of punishment and responsibility. (Unless you consider the cost of the investigation itself to be a legitimate punishment. I do not.)
Enough for this first discussion. Perhaps in the future we can discuss negotiating an investigation the same way you would negotiate a resolution of a case. Also, how and when a voluntary disclosure is made might be an influence on the scope of the investigation required. Another thought, how has BIG DATA and the resultant analytics provided tools to test a company’s compliance and thus possibly dramatically reduce investigative costs? Of course, that raises the question about analytics that we all have heard in another context: are we there yet? I think we are. Please let me hear from you. I will be blogging from time to time until we have our panel on April 2.
When visiting foreign countries that are known for their computer espionage, whether for business or personal reasons, travelers must use common sense with regard to their cyber security behavior. As a recent article in InfoWorld points out, U.S. government and independent security firms have published security warnings and studies detailing the threats to data security while traveling in “high-risk countries with significant cyber capabilities, those known to conduct cyber espionage, and those known for corporate espionage and stealing business secrets and intellectual property.” Travelers need to recognize that in some countries, NO digital device is safe, and a traveler can never assume he or she is not sufficiently important to be a target.
There are many methods that foreign agents use to steal data from unsuspecting travelers. A corporate or personal laptop left unattended in a locked hotel room could be opened and examined by a hotel employee, who is possibly working with the government or foreign business groups, while the guest is out to dinner. The entire contents of the hard drive could be copied, including proprietary business information and confidential emails. Worse, before the laptop is put back in its place, a virus could be installed that continues to spy on all of the owner’s communications and send information back to foreign computer servers once the owner returns home. Even simply using the hotel’s network to connect to the internet can be dangerous if a malicious person is monitoring and storing those communications or attempts to install a virus over the network.
There are steps that travelers can take to protect their data and communications while overseas. The number one way to prevent the stealing of data is to not bring it overseas in the first place. Travelers should use a laptop that is wiped clean when traveling abroad, so that when they return home the laptop can simply be wiped clean again to prevent the spreading of any viruses. Travelers should never leave their computers alone when they are abroad if they contain sensitive information; they should bring the devices with them even when they are simply going to dinner. The same common sense rules apply to mobile phones or tablets: when possible, only “clean” devices should be used, and they should be wiped clean again when the owner returns home. Mobile devices are especially vulnerable to over-the-air attacks in countries where the government controls the communications infrastructure and is able to silently install “updates” to phone operating systems without the owner’s knowledge or consent.
Using encryption on your laptop or mobile device is important if you absolutely must bring sensitive data along with you into at-risk countries. Most modern laptops and phones come preconfigured with standard encryption capabilities, but Department of Defense grade encryption options are also available for even more security. Turning off Bluetooth and WiFi access to your device while traveling will also limit the avenues through which hackers can attempt to access your device. This includes turning off “location services” on your device, which can track and broadcast your location in ways that you are sometimes not aware of. Finally, make sure that your antivirus software and internet firewalls are completely up-to-date and configured properly.
The bottom line when traveling abroad is that your data and communications can never be completely secure, and you can never be certain that you are not a target. Use common sense and protect yourself as much as possible when traveling in countries that are known to have significant cyber espionage operations. Contact Guidepost Solutions’ team of security experts for more information on how to protect yourself and your data when traveling abroad.
Last month, Guidepost Solutions wrote about how the Justice Department and the Securities and Exchange Commission jointly released comprehensive FCPA guidance, “A Resource Guide to the Foreign Corrupt Practices Act” (“Guidance”). The Guidance provides insight into what the Government believes are best practices that companies should follow when implementing compliance programs of all types, including statements about the Government’s expectations for due diligence and for the continual improvement of compliance programs. The Guidance should be required reading for compliance officers of all types, not only for those who manage an FCPA portfolio.
Below are some key points from the Guidance that compliance officers should keep in mind when creating and implementing company compliance programs.
1. The Government expects that compliance programs are not simply created and then left alone, but that they are implemented effectively and monitored going forward.
Companies cannot rely on creating a compliance program in name only, simply to “check the box” on the list of regulations they need to follow, and expect that the government will view that as making a good faith effort at compliance. Organizations must make a genuine effort at establishing an effective program that is headed by an executive with enough authority to make sure that procedures are followed and that the program is monitored in the future. Page 67 of the Guidance provides the guidance related to this particular point. Although the language is focused on the structure of a program, it makes clear that oversight and effective implementation are a core part of a compliance program, from the government’s point of view:
“In appraising a compliance program, DOJ and SEC also consider whether a company has assigned responsibility for the oversight and implementation of a company’s compliance program to one or more specific senior executives within an organization. Those individuals must have appropriate authority within the organization, adequate autonomy from management, and sufficient resources to ensure that the company’s compliance program is implemented effectively.”
2. The Government gives more credence to companies that adhere to a risk-based approach to compliance, not a one-size-fits-all program.
The Guidance provides additional confirmation that the Government wants company compliance resources to be expended intelligently, using a risk-based approach. This approach involves conducting a comprehensive review of a company’s specific market and the geographic locations where business is conducted, as well as a realistic assessment of the types of violations for which the company is most at risk. This method has the added benefit of helping to avoid wasting capital and resources where they are not needed. A simple “cookie-cutter” approach to any type of compliance program is neither effective nor looked upon favorably by the government. Page 68 of the Guidance, titled “Risk Assessment,” details how the government gives more credit to companies who follow the recommended risk-based approach:
“Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program. One-size-fits-all compliance programs are generally ill-conceived and ineffective because resources inevitably are spread too thin, with too much focus on low-risk markets and transactions to the detriment of high-risk areas. Devoting a disproportionate amount of time policing modest entertainment and gift-giving instead of focusing on large government bids, questionable payments to third-party consultants, or excessive discounts to resellers and distributors may indicate that a company’s compliance program is ineffective. A $50 million contract with a government agency in a high-risk country warrants greater scrutiny than modest and routine gifts and entertainment. Similarly, performing identical due diligence on all third-party agents, irrespective of risk factors, is often counterproductive, diverting attention and resources away from those third parties that pose the most significant risks. DOJ and SEC will give meaningful credit to a company that implements in good faith a comprehensive, risk-based compliance program, even if that program does not prevent an infraction in a low risk area because greater attention and resources had been devoted to a higher risk area. Conversely, a company that fails to prevent an FCPA violation on an economically significant, high-risk transaction because it failed to perform a level of due diligence commensurate with the size and risk of the transaction is likely to receive reduced credit based on the quality and effectiveness of its compliance program.
“As a company’s risk for FCPA violations increases, that business should consider increasing its compliance procedures, including due diligence and periodic internal audits. The degree of appropriate due diligence is fact-specific and should vary based on industry, country, size, and nature of the transaction, and the method and amount of third-party compensation. Factors to consider, for instance, include risks presented by: the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs. When assessing a company’s compliance program, DOJ and SEC take into account whether and to what degree a company analyzes and addresses the particular risks it faces.”
3. The Government expects a company’s executive management team to set the tone for compliance at the top of the organization.
Clear management articulation of standards is a requirement for effective compliance programs, according to the Government. Compliance must start at the top, in order to be effective throughout the organization’s hierarchy. The executive team must lead by example to ensure that compliance program protocols and procedures are followed by employees below them. Page 66 highlights this point:
“Compliance with the FCPA and ethical rules must start at the top. DOJ and SEC thus evaluate whether senior management has clearly articulated company standards, communicated them in unambiguous terms, adhered to them scrupulously, and disseminated them throughout the organization.”
4. The Government expects that companies continually reevaluate their compliance programs and make process improvements based on assessments of strengths and weaknesses.
A compliance program should involve having a flexible plan that can be modified and improved when company circumstances change and when weaknesses are discovered. A truly effective compliance program that is implemented in good faith is one that is continually monitored and is changed when necessary. Conducting periodic strategic initiatives reviews and acting on the findings is one practical way that a diligent compliance officer can ensure they are monitoring and improving their program. Page 71 of the Guidance explains this point and lays out some additional examples of how companies can test and improve their programs:
“In addition, compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale. According to one survey, 64% of general counsel whose companies are subject to the FCPA say there is room for improvement in their FCPA training and compliance programs. An organization should take the time to review and test its controls, and it should think critically about its potential weaknesses and risk areas. For example, some companies have undertaken employee surveys to measure their compliance culture and strength of internal controls, identify best practices, and detect new risk areas. Other companies periodically test their internal controls with targeted audits to make certain that controls on paper are working in practice.”
5. With regard to training, the Government is open to a mix of both in-person and web-based training. The Government also recommends targeted training based on an employee’s expertise and role within an organization.
In the past, there was a widely-held belief that the government strongly preferred in-person training (particularly for FCPA training). The language in the recent Guidance suggests that the Government is becoming more open to modern forms of training that make use of technology. This point, and the suggestion that training be targeted to specific departments and employee types within a company, are both outlined on page 68:
“Many larger companies have implemented a mix of web-based and in-person training conducted at varying intervals. Such training typically covers company policies and procedures, instruction on applicable laws, practical advice to address real-life scenarios, and case studies. Regardless of how a company chooses to conduct its training, however, the information should be presented in a manner appropriate for the targeted audience, including providing training and training materials in the local language. For example, companies may want to consider providing different types of training to their sales personnel and accounting personnel with hypotheticals or sample situations that are similar to the situations they might encounter. In addition to the existence and scope of a company’s training program, a company should develop appropriate measures, depending on the size and sophistication of the particular company, to provide guidance and advice on complying with the company’s ethics and compliance program, including when such advice is needed urgently. Such measures will help ensure that the compliance program is understood and followed appropriately at all levels of the company.”
Creating and implementing an effective compliance program requires conscientious effort and diligent follow-up, regardless of the specific focus of the program. Guidepost Solutions’ team of compliance experts can advise companies on how to properly and professionally put a compliance plan into action and conduct reviews to improve it down the road. Contact us today for more information.